Cloudflare Zero Trust: The fastest Zero Trust browsing and application access platform


Risks beyond the perimeter 


When applications and users left the walls of the corporate 
perimeter, security teams had to compromise on how to 
keep data safe. Location-centric methods of securing 
traffic (like VPNs, firewalls, and web proxies) have broken 
down under pressure, leaving organizations with limited 
visibility, conflicting configurations, and excessive risk. 


With risks now persisting everywhere, organizations are 
turning towards Zero Trust delivered in the cloud to adapt. 

Adopt Internet-native Zero Trust


Cloudflare Zero Trust is a security platform that increases 
visibility, eliminates complexity, and reduces risks as 
remote and office users connect to applications and the 
Internet. In a single-pass architecture, traffic is verified, 
filtered, inspected, and isolated from threats. 


It runs on one of the world’s fastest Anycast networks 
across 270+ cities in 100+ countries to deploy faster and 
perform better than other providers. 

Reduce excessive trust


Protect apps with identity and 
context-based Zero Trust rules. 

Block ransomware, phishing and other 
online threats. Isolate endpoints from 
risks by executing untrusted web code 
far away from devices. 


Eliminate complexity


Reduce reliance on legacy point 
products and apply standard security 
controls to all traffic — regardless of 
how that connection starts or where in 
the network stack it lives. 

Restore visibility


Comprehensive logs for DNS, HTTP, 
SSH, network, and Shadow IT activity. 
Monitor user activity across all apps. 
Send logs to multiple cloud storage and
analytics tools of your choice.

VPN replacement and augmentation (ZTNA)


A faster, easier, and safer way to connect remote users to apps 


Challenge: Slow, complex, and risky VPNs 
Traditional VPNs are increasingly a liability. Sluggish 
performance hurts end user productivity. Administrators 
struggle with unwieldy configuration. Plus, VPNs make it 
easy for malware to spread laterally across a network. 


Accelerated cloud adoption and hybrid work have further 
exposed these flaws and made VPNs more vulnerable. 


Zero Trust Network Access (ZTNA) 

Cloudflare Access, our ZTNA service, augments or replaces 
VPN clients by protecting any application, in any 
on-premise network, public cloud, or SaaS environment. 


Access works with your identity providers and endpoint
protection platforms to enforce default-deny, Zero Trust
rules limiting access to corporate applications, private IP
spaces, and hostnames.


How it works

[Figure: Cloudflare Access diagram. Recoverable labels: "Verify every login and request (multi-SSO)"; "Resource"; "Clientless deployment for web-, SSH- or VNC-based self-hosted apps accessible via a browser"; "Firewall protected private routing"; "Self-hosted apps"; "DDoS protected reverse proxy"; "In-browser terminal"; "Identity proxy".]


Key use cases


Support remote work
and BYOD initiatives

Verify access for all users, wherever
they are, based on identity, device
posture, authentication method, and
other contextual factors.


Enforce these Zero Trust policies for
your hybrid workforce. Support
bring-your-own-device (BYOD)
initiatives by securing both managed
and unmanaged devices.


Streamline third party
access with flexibility


Speed up access setup for contractors, 
suppliers, agencies, collaborators, etc. 


Onboard multiple identity providers 
(IDPs) at once. Set least privilege rules 
based on the IDPs they already use. 


Avoid provisioning SSO licenses, 
deploying VPNs, or creating one-off 
permissions. 

Add new users, identity providers, or
Zero Trust rules in minutes. 


Unlock new productivity by reducing 
employee onboarding time (eTeacher 
Group) and moving away from 
IP-based access configuration 
(BlockFi). No need to hire dedicated 
staff to manage VPNs (ezCater). 

Internet threat and data protection (SWG & RBI)


Filter, inspect, and isolate Internet-bound traffic 


Challenge: Evolving threat landscape 

Leveling up security while keeping users productive has 
never been trickier. Remote work means more unmanaged 
devices storing more sensitive data locally. Meanwhile, 
ransomware, phishing, shadow IT, and other Internet-based 
threats have been exploding in volume and sophistication. 


Relying on legacy point solutions and data backups is a 
risky strategy to guard against the next ransomware threat. 


How it works 

Block ransomware sites and domains
based on our global network 
intelligence. Isolate browsing on risky 
sites to bolster protection. 


Combine SWG filtering and RBI with 
default-deny, ZTNA to mitigate the risk 
of ransomware infection spreading 
laterally and escalating privileges 
across your network. 


Filter known and ‘new’ / ‘newly seen’ 
phishing domains. Isolate browsing to 
stop harmful payloads from executing 
locally. Stop submission of sensitive 
information on suspicious phishing 
sites via RBI’s keyboard input controls. 


Plus, coming soon, admins will be able 
to activate email filtering with a single 
click — powered by Area 1. 


SWG with Zero Trust Browsing 

Cloudflare Gateway, our Secure Web Gateway (SWG), 
protects users with identity-based web filtering, plus 
natively-integrated remote browser isolation (RBI). 


Start with DNS filtering to achieve quick time-to-value for 
remote or office users. Next, apply more comprehensive 
HTTPS inspection, and finally, extend RBI controls to 
embrace Zero Trust for all Internet activity. 

Prevent data leakage


Implement data loss prevention (DLP) 
with file type controls that can stop 
users from uploading files to sites. 


Deploy Zero Trust browsing to control 
and protect the data that lives within 
web-based apps. Control user actions 
within the browser - like download, 
upload, copy-paste, keyboard input, 
and printing functionalities. 

SaaS security (CASB)


Streamline SaaS security for more visibility and control, with less overhead 


Challenge: SaaS app proliferation

Modern workforces rely on SaaS applications now more
than ever. But SaaS apps are each configured differently,
require different security considerations, and operate
outside the safeguards of the traditional perimeter.


As organizations adopt dozens and even hundreds of SaaS
apps, it becomes increasingly challenging to maintain
consistent security, visibility, and performance.


Cloud Access Security Broker (CASB)

Cloudflare's CASB service gives comprehensive visibility
and control over SaaS apps, so you can easily prevent data
leaks and compliance violations.


Block insider threats, risky data sharing, and bad actors.


Log every HTTP request to reveal unsanctioned SaaS
applications. Scan SaaS apps to detect misconfigurations
and suspicious activity.

protection controls


Apply tenant control through HTTP 
gateway policies to prevent users from 
accessing and storing data in the 
wrong versions of popular SaaS apps, 
either inadvertently or maliciously. 


Control user actions (e.g. copy/paste, 
downloads, printing, etc.) within 
web-based SaaS applications to 
minimize the risk of data loss. 

Mitigate and control
Shadow IT

Minimize the risks introduced by
unapproved SaaS applications.


Cloudflare aggregates and
automatically categorizes all HTTP
requests in our activity log by
application type. Administrators can
then set the status and track the usage
of both approved and unapproved
apps across your organization.


Identify new threats
and misconfigurations

Connect to popular SaaS apps (Google
Workspace, Microsoft 365, etc.) via API
and scan for risks.


Empower your IT and security teams
with visibility into permissions,
misconfigurations, improper access,
and control issues that could leave
their data and employees at risk.

Coming soon to Zero Trust: Cloud Email Security (CES)


Extending Zero Trust to Email 


Challenge: Email is the #1 threat vector 


Email is the #1 way teams communicate, but also 
the #1 way attackers get through. In fact, a recent 
study found that 91% of all cyber attacks begin 
with a phishing email. 


Email makes everyone an insider, even people 
outside your organization like your vendors, 
partners, and customers. 


Bottom line: There is too much implicit trust in 
email, and attackers exploit this by spoofing 
common business workflows (e.g. password reset, 
file-sharing notifications) or trusted entities (e.g. 
CEO, a vendor / partner sending invoices). 




On April 1, 2022, Cloudflare completed the acquisition of Area 1
Security, a leading cloud-native email security company that 
protects users from phishing attacks in email, web, and network 
environments. Read the announcement. 


Integrating cloud-native email security 


Adding Area 1 email security to Cloudflare Zero Trust removes implicit 
trust from email to preemptively stop phishing and business email 
compromise (BEC) attacks. Plus, save time on creating and tuning 
email threat policies. 


Because no sender is ever trusted, all user traffic, including email, is
verified, filtered, inspected, and isolated from Internet threats. Area 1
helps customers to stop advanced threats, adopt a proactive security
posture, and reduce phishing incident response times by 90%.


Email security will be integrated across our Zero Trust services, in 
powerful combination with RBI, CASB, and more. For example, are you 
skeptical about a link in an email, but don’t want to block it outright? 
Render it in an isolated browser and block text input just in case. 


How it works: Zero Trust for all internal & external network, web & email traffic 

Security modernization: The Cloudflare difference


Strong foundation for security modernization 


Deployment simplicity 


Cloudflare delivers a uniform and 
composable platform for easy setup 
and operations. With software-only 
connectors and one-time integrations, 
our Cloudflare on-ramps and edge 
services all work together. 


This leads to a better experience for 
your IT practitioners and end users. 


Network resiliency 


Our end-to-end traffic automation 
ensures reliable and scalable network 
connectivity with consistent protection 
from any location. 


With Cloudflare, every edge service is 
built to run in every network location, 
available to every customer — unlike 
with other security providers. 


Innovation velocity 


Our future-proof architecture helps us 
build and ship new security and 
networking capabilities very quickly. 


Whether it’s our rapid adoption of new 
Internet and security standards or 
building out customer-led use cases, 
our history of technical prowess 
speaks for itself, and our foundation 
provides extreme optionality. 


5 ways Zero Trust saves your business time and money 

Optimized for usability


One management interface 


Simplify configuration with a natively 
built dashboard for both application 
and Internet access policies. 


Use one dashboard to integrate
with identity providers, endpoint
protections, and network onramps.


Accelerate your Zero Trust journey 


One consolidated platform 


Replace a patchwork of VPN clients,
on-premise firewalls, and other point
security solutions with one platform
and one control plane.


Drive down costs and complexity as 
you move security to the edge. 

Unrivaled user experience


Cloudflare sits closer to your users and 
services and routes requests faster 
utilizing optimized, intelligence-driven 
routing across our vast Anycast 
network, with 270+ locations in more 
than 100 countries around the world. 

